• State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 4 replies
  • Subscribers 93 subscribers
  • Views 2026 views
  • Users 0 members are here
Options
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Time-Based rate limiting for Ad-hoc projections

gwickert
over 5 years ago

Hi All,

Is there any way in One Identity v8.01 to implement time window based rate limiting for ad-hoc projections.

Ideally, I'd like to be able to configure a rule such as "If X amount of ADS password updates occur within Y time, halt ad-hoc projections, notify admin, and do not start projections until approved by an administrator".

X might be 50 password resets, Y may be a time frame of 60 seconds, 5 minutes, etc.

Any help appreciated.

Glen.

Parents
  • +1 over 5 years ago

    Old thread but thought I'd post solution.

    Basically I put change tracking on for ADSAccount.UserPassword. I then placed an additional step into the ADS_ADSAccount_Update/(De-)activate process which looks at the password events on the DialogWatch* tables for a given time window, counts up all of the events, and then checks if that count within that window is less than the threshold. If it breaches, the step will freeze and then set a config param (i.e. ThresholdBreached) to true, which will then cause all ADS_ADSAccount_Update/(De-)activate process to error and remain in the queue. An admin can then come in and make a decision RE letting the jobs process or not.

    Works nicely, and is fairly simple to set up.

Reply
  • +1 over 5 years ago

    Old thread but thought I'd post solution.

    Basically I put change tracking on for ADSAccount.UserPassword. I then placed an additional step into the ADS_ADSAccount_Update/(De-)activate process which looks at the password events on the DialogWatch* tables for a given time window, counts up all of the events, and then checks if that count within that window is less than the threshold. If it breaches, the step will freeze and then set a config param (i.e. ThresholdBreached) to true, which will then cause all ADS_ADSAccount_Update/(De-)activate process to error and remain in the queue. An admin can then come in and make a decision RE letting the jobs process or not.

    Works nicely, and is fairly simple to set up.

Children